Bug 8026

Summary: A particular animated SVG crashes in filter code
Product: WebKit
Reporter: Maciej Stachowiak <mjs>
Component: SVG
Assignee: Darin Adler <darin>
Status: RESOLVED FIXED
Severity: Normal
CC: bjoern, oliver
Priority: P1
Version: 420+
Hardware: Mac
OS: OS X 10.4
URL: http://www.bjoernsworld.de/temp/eventflow2.svg

Maciej Stachowiak
Reported 2006-03-28 02:13:42 PST
The following SVG will likely be linked from a future w3c specification document: http://www.bjoernsworld.de/temp/eventflow2.svg

It would be nice if WebKit didn't crash on it. It dies from an uncaught ObjC exception apparently:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x017a93da ReportBlockedObjCException(NSException*) + 76 (BlockExceptions.mm:35)
1 com.apple.WebCore 0x017ce3cc WebCore::KCanvasFEMergeQuartz::getCIFilter(WebCore::KCanvasFilterQuartz*) const + 202 (KCanvasFilterQuartz.mm:642)
2 com.apple.WebCore 0x017ccb1a WebCore::KCanvasFilterQuartz::getCIFilterStack(CIImage*) + 170 (KCanvasFilterQuartz.mm:145)
3 com.apple.WebCore 0x017ccc63 WebCore::KCanvasFilterQuartz::applyFilter(WebCore::FloatRect const&) + 211 (KCanvasFilterQuartz.mm:115)
4 com.apple.WebCore 0x017d077f WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2957 (KCanvasResourcesQuartz.mm:157)
5 com.apple.WebCore 0x018edd5a WebCore::RenderBox::paint(WebCore::RenderObject::PaintInfo&, int, int) + 92 (RenderBox.cpp:266)
6 com.apple.WebCore 0x017d0713 WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2849 (KCanvasResourcesQuartz.mm:154)
7 com.apple.WebCore 0x018edd5a WebCore::RenderBox::paint(WebCore::RenderObject::PaintInfo&, int, int) + 92 (RenderBox.cpp:266)
8 com.apple.WebCore 0x017d0713 WebCore::KCanvasContainerQuartz::paint(WebCore::RenderObject::PaintInfo&, int, int) + 2849 (KCanvasResourcesQuartz.mm:154)
9 com.apple.WebCore 0x018f529e WebCore::RenderCanvas::paint(WebCore::RenderObject::PaintInfo&, int, int) + 220 (RenderCanvas.cpp:161)
10 com.apple.WebCore 0x019146f4 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, bool, WebCore::RenderObject*) + 1284 (RenderLayer.cpp:1145)
11 com.apple.WebCore 0x01914891 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::RenderObject*) + 67 (RenderLayer.cpp:1052)
12 com.apple.WebCore 0x0183ecee WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 484 (Frame.cpp:2727)
13 com.apple.WebCore 0x01872f19 -[WebCoreFrameBridge drawRect:] + 183 (WebCoreFrameBridge.mm:924)
14 com.apple.WebKit 0x0035c279 -[WebHTMLView drawRect:] + 879 (WebHTMLView.m:2497)
15 com.apple.AppKit 0x933f1957 -[NSView _drawRect:clip:] + 3228
16 com.apple.AppKit 0x933efe39 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1273
17 com.apple.WebKit 0x00353cbb -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 351 (WebHTMLView.m:747)
18 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
19 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
20 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
21 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
22 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
23 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
24 com.apple.AppKit 0x933f05e7 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 3239
25 com.apple.AppKit 0x933ef120 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 290
26 com.apple.AppKit 0x933ee90c -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 523
27 com.apple.AppKit 0x933ee23c -[NSView displayIfNeeded] + 439
28 com.apple.AppKit 0x933edfde -[NSWindow displayIfNeeded] + 168
29 com.apple.Safari 0x0001bd9c 0x1000 + 109980
30 com.apple.AppKit 0x9343e28c _handleWindowNeedsDisplay + 206
31 com.apple.CoreFoundation 0x90823419 __CFRunLoopDoObservers + 342
32 com.apple.CoreFoundation 0x908224bb CFRunLoopRunSpecific + 827
33 com.apple.CoreFoundation 0x90822179 CFRunLoopRunInMode + 61
34 com.apple.HIToolbox 0x92ed28e0 RunCurrentEventLoopInMode + 285
35 com.apple.HIToolbox 0x92ed1fe7 ReceiveNextEventCommon + 385
36 com.apple.HIToolbox 0x92ed1e3e BlockUntilNextEventMatchingListInMode + 81
37 com.apple.AppKit 0x93372ad1 _DPSNextEvent + 576
38 com.apple.AppKit 0x933726be -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
39 com.apple.Safari 0x00006a3a 0x1000 + 23098
40 com.apple.AppKit 0x9336c443 -[NSApplication run] + 512
41 com.apple.AppKit 0x93360397 NSApplicationMain + 573
42 com.apple.Safari 0x0005ef22 0x1000 + 384802
43 com.apple.Safari 0x0005ee3d 0x1000 + 384573
Attachments
testcase for brokeness (678 bytes, image/svg+xml), 2006-03-28 03:09 PST, Oliver Hunt, no flags
patch with detailed change log and a layout test (10.67 KB, patch), 2006-03-29 08:31 PST, Darin Adler, eric: review+
Maciej Stachowiak
Comment 1 2006-03-28 02:14:18 PST
Even though it's "just SVG", this is likely to be a high profile example of crashiness if we don't fix, so bumping to P1.
Oliver Hunt
Comment 2 2006-03-28 03:09:00 PST
Created attachment 7354 [details] testcase for brokeness
Oliver Hunt
Comment 3 2006-03-28 03:14:04 PST
My brief look into this makes me think that feMerge is not assigning the default image for a node in feMerge. This results in an image source name, name, of type DeprecatedString. DeprecatedName::getNSString() seems to produce something broken when the string is length 0 (gdb can't look at it, certainly). Leading from this, [m_imagesByName valueForKey:name.getNSString()] fails with an index out of bounds exception.
Oliver Hunt
Comment 4 2006-03-28 03:15:12 PST
Maciej didn't appear to actually bump to P1; I am attempting to do so.
Maciej Stachowiak
Comment 5 2006-03-28 14:54:46 PST
I bet the problem is that DeprecatedString is a null string instead of an empty string.
Darin Adler
Comment 6 2006-03-29 08:05:34 PST
(In reply to comment #5)
> I bet the problem is that DeprecatedString is a null string instead of an empty
> string.

Turns out it's an empty string. But -[NSDictionary valueForKey:] has a bug where it will fail for the empty string. I filed a bug about this. Fix is to check for the empty string before calling valueForKey:.
Darin Adler
Comment 7 2006-03-29 08:06:53 PST
(In reply to comment #3)
> DeprecatedName::getNSString() seems to produce something borken when the string
> is length 0 (gdb can't look at it certainly).

No, that part is working fine.

> Leading from this [m_imagesByName valueForKey:name.getNSString()] fails with an
> index out of bounds exception.

This is the immediate cause of the crash. It's a bug in NSDictionary's valueForKey:, which should not raise an exception in this case.
Darin Adler
Comment 8 2006-03-29 08:10:53 PST
Using valueForKey: here is a mistake anyway. This should just be calling objectForKey:, which works fine with empty strings.
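The lookup change described in comments 6 and 8, as an added example that is not part of the bug's patch or of WebKit's code: a small Objective-C program against Foundation that resolves feMergeNode inputs by name with objectForKey:, substitutes a default input when the name is empty, and probes whether valueForKey: with an empty key raises on the running system. The image table, the node list and the helper names (makeImageTable, lookupFilterInput, resolveMergeInputs, probeValueForKeyWithEmptyKey) are constructed for this example, and plain strings stand in for CIImage objects so it needs only Foundation.

```objc
#import <Foundation/Foundation.h>

// Constructed stand-in for the renderer's image table: result names from
// earlier filter primitives mapped to their images (strings here, not CIImage).
static NSDictionary *makeImageTable(void)
{
    return @{ @"SourceGraphic": @"<source graphic>",
              @"blur1":         @"<blurred image>" };
}

// Plain hash lookup. objectForKey: does not raise for an empty key; an unknown
// or empty name yields nil so the caller can substitute the default input.
// valueForKey: is key-value coding, not a dictionary lookup, and this bug
// reports it raising an index-out-of-bounds exception for the empty string.
static id lookupFilterInput(NSDictionary *imagesByName, NSString *name)
{
    if ([name length] == 0)
        return nil;                     // no "in" attribute on the node
    return [imagesByName objectForKey:name];
}

// Resolve every feMergeNode input. An empty or unknown name falls back to the
// previous node's image, or SourceGraphic for the first node (this example's
// simplification of the default-input rule; it never passes "" to the table).
static NSArray *resolveMergeInputs(NSDictionary *imagesByName, NSArray *nodeNames)
{
    NSMutableArray *inputs = [NSMutableArray array];
    id previous = [imagesByName objectForKey:@"SourceGraphic"];
    for (NSString *name in nodeNames) {
        id image = lookupFilterInput(imagesByName, name);
        if (image == nil)
            image = previous;
        [inputs addObject:image];
        previous = image;
    }
    return inputs;
}

// Probe the call the crash came from. Returns the exception name if
// valueForKey: raises for an empty key on this Foundation, nil otherwise.
static NSString *probeValueForKeyWithEmptyKey(NSDictionary *imagesByName)
{
    @try {
        (void)[imagesByName valueForKey:@""];
        return nil;
    } @catch (NSException *e) {
        return [e name];
    }
}

int main(void)
{
    @autoreleasepool {
        NSDictionary *table = makeImageTable();
        // Constructed node list: the second node has no "in" attribute and
        // the third names a result that was never produced.
        NSArray *names = @[ @"blur1", @"", @"missing" ];
        NSLog(@"resolved inputs: %@", resolveMergeInputs(table, names));

        NSString *raised = probeValueForKeyWithEmptyKey(table);
        NSLog(@"valueForKey:@\"\" %@",
              raised ? [NSString stringWithFormat:@"raised %@", raised]
                     : @"returned without raising");
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation merge.m -o merge` and run `./merge`; the first log line shows the empty and unknown names resolved to the previous image rather than reaching the dictionary, and the second reports whether the KVC call still raises on the Foundation you have installed.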
Darin Adler
Comment 9 2006-03-29 08:31:21 PST
Created attachment 7374 [details] patch with detailed change log and a layout test